tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Valid values for digestEncoding attribute?
Date Fri, 28 Jan 2011 14:37:01 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Etienne,

On 1/28/2011 7:59 AM, Ing. Etienne V. Depasquale wrote:
> Yes, I am using DIGEST authentication.
> 
> But what about the www-authenticate HTTP/1.1 header that Tomcat sends over
> to the browser? Is it ignored by any browser, simply defaulting to MD5?

I'm sorry, I misspoke. You're right: there is a way for the server to
tell the client what kind of digest algorithm to use, but there is no
/negotiation/: the server can't give the client a choice, and the client
can't tell the server what algorithm it chose.

The spec only defines MD5 as the default (and only choice for) algorithm
so web browsers have only implemented MD5.

If you can demonstrate that a web browser will use SHA-1 (which is, by
the way, also a useless algorithm like MD5 these days), I'd be very
happy to see it. I'm guessing that Firefox and Google Chrome are the
only candidates for that kind of thing.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1C1I0ACgkQ9CaO5/Lv0PBo2wCeM8GswwNUimW/aQ2bJ/O4vOoW
zooAn0uQTcu8D8gbb8TRklc0bmlvUXHl
=Wong
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message